
Silent Mojave night: security settings files in macOS Mojave

In amongst the hundreds of thousands of files which together make macOS Mojave work, there are security and other settings files which Apple normally updates silently. These are almost completely undocumented, but can sometimes cause problems, by disabling an old version of Flash, Java, or Silverlight, or even breaking your network connection. Here’s a quick roundup of those which you are most likely to come across.

Core Suggestions Configuration Data
Latest version: 1.0 680.111, 18 August 2018.
These are support data for /System/Library/PrivateFrameworks/CoreSuggestions.framework, to be used in various app features.

CoreLSKD Configuration Data
Latest version: 10.5.0, 17 August 2018.
These are support data for /System/Library/PrivateFrameworks/CoreLSKD.framework and go into /usr/share/kdrl.bundle for internal use.

EFI Allow List
No version given. 23 August 2018.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Macs running Mojave. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here.

Gatekeeper Configuration Data
Latest version: 181, 26 August 2019.
This is an SQLite database which is placed in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db to provide blacklists and whitelists for Gatekeeper’s security system, which checks the code signatures of apps.

Gatekeeper Disk Image Configuration Data
Latest version: 7.2, 17 August 2018.
This provides data for checking signed disk images, which is kept in /var/db/gke.bundle/Contents/Resources/gke.auth. It remains unchanged from Sierra.

Incompatible Kernel Extension Configuration Data
Latest version: 14.5.1, 13 May 2019.
This is a list of kernel extensions (KEXTs) which will be excluded at startup, and is stored in /System/Library/Extensions/AppleKextExcludeList.kext. This is a new version, different from that in High Sierra, reflecting Mojave’s updated policies.

MRT Configuration Data
Latest version: 1.61, 28 May 2020.
These are the settings for Apple’s Malware Removal Tool /System/Library/CoreServices/MRT.app and go into that app, so that it can remove any malware which macOS detects.

TCC Compatibility Bundle
Latest version: 140.18, 2020-002 Security Update, 24 March 2020.
This is a signed bundle at /System/Library/Sandbox/TCC_Compatibility.bundle which contains AllowApplications.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. This is essentially new for Mojave, and only checked in LockRattler version 4.12 and later.

XProtectPlistConfigData
Latest version: 1.0 2122, 28 May 2020.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist, /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist and /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara.

IncompatibleAppList
Latest version: 1190, 29 October 2018.
These settings are placed in /System/Library/PrivateFrameworks/SystemMigration.framework for use by Migration Manager.

Currently, Catalina offers most of these with the same version numbers, but not the Incompatible Kernel Extension Configuration Data, which is replaced by a different mechanism altogether.
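One way to compare what is installed against the versions listed above, as an added example that is not from the original article. It assumes each bundle records its version under CFBundleShortVersionString in Contents/Info.plist, and covers only the four components whose listed version is a plain dotted number; the function names and the versions in the sample tree are constructed for illustration.

```python
import plistlib, tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError
# Paths/versions: from the list above. Info.plist version key: this example's assumption.
EXPECTED = {
    "private/var/db/gkopaque.bundle": "181",
    "System/Library/Extensions/AppleKextExcludeList.kext": "14.5.1",
    "System/Library/CoreServices/MRT.app": "1.61",
    "System/Library/Sandbox/TCC_Compatibility.bundle": "140.18",
}

def installed_version(bundle):
    """Return the bundle's version string, or None if it is absent or unreadable."""
    try:
        data = (Path(bundle) / "Contents" / "Info.plist").read_bytes()
        info = plistlib.loads(data)  # accepts both XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    return info.get("CFBundleShortVersionString") if isinstance(info, dict) else None

def version_key(text):
    """Compare component by component as integers: '14.5.1' -> (14, 5, 1)."""
    return tuple(int(part) for part in text.split("."))

def audit(root="/", expected=EXPECTED):
    """Map each bundle path to (status, installed version) for the tree under root."""
    report = {}
    for rel_path, latest in expected.items():
        found = installed_version(Path(root) / rel_path)
        status = "missing"
        if isinstance(found, str):
            try:
                have, want = version_key(found), version_key(latest)
                status = "current" if have == want else "outdated" if have < want else "newer"
            except ValueError:
                status = "unparsed"  # version string is not purely numeric
        report[rel_path] = (status, found)
    return report

def sample_report():
    """Audit a constructed tree: current, outdated, newer, and one bundle missing."""
    with tempfile.TemporaryDirectory() as root:
        for rel_path, version in zip(EXPECTED, ["181", "14.3.1", "1.62"]):
            info = Path(root, rel_path, "Contents", "Info.plist")
            info.parent.mkdir(parents=True)
            info.write_bytes(plistlib.dumps({"CFBundleShortVersionString": version}))
        return audit(root)

if __name__ == "__main__":
    print(sample_report())
```

On a Mac, calling audit() with its default root reads the live system paths instead of the constructed tree.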

I tried to run ‘eficheck’ (just to make sure) and it also says “Primary allowlist version match found. No changes detected in primary hashes.”

But when I’m looking on my EFI partition on MacBook Pro 2017 I see all the files inside /Volumes/EFI/EFI/APPLE/UPDATERS/MULTIUPDATER (like ThorUtil.efi, MultiUpdater.efi and two other *.bin files) have a date of Sep 25, so they must be fresh from the Mojave release. But no update to EFI firmware occurred.

Maybe the reason is simply that there is no new firmware version available for my hardware, but it would be nice if you could check which firmware version you have after the Mojave upgrade. And regarding your EFI firmware list, may I ask where it comes from and how it is updated?

I upgraded my Macs with the Mojave installer running from a live macOS system. I know the upgrade could also be run from an installer USB, but does that make any difference? Is either of these two methods preferred over the other?

I have not yet updated that list for Mojave release.
I prefer to obtain the list from the most recent macOS standalone updater, because that is usually the most reliable source. I haven’t yet taken the Mojave 10.14 installer apart to see whether I can get an accurate list from that, but hope to look at that in the next few days.
The problem with using the lists in eficheck is that those are allow lists, and include some older versions, and possibly some newer ones from beta releases.
Any method of installing the Mojave release should produce the same result in terms of EFI updates, but I am fairly sure that the Mojave betas also brought EFI updates for most models, so if you ran a beta on your Mac it is already likely to be running the EFI firmware installed from that. Indeed, that version could be intended for more general release in, say, 10.14.1, so it could even be ahead of the game. This is why I like to trust standalone updaters, but we won’t get any until the release of 10.14.1, when I will be able to be more certain of the expected versions.
Howard.

That’s all clear now, checking the current versions from the standalone updater is nice. Just have to say, I didn’t try to run any of the Mojave betas directly on my hardware. (I was just testing a few things regarding installers in VMware, so possible firmware updates in betas could not have had any effect on my hardware, yet.)

Manoli,
I have now had a chance to examine the EFI firmware updates, and 10.14 doesn’t bring any, so long as you were up to date with 10.13.6 or Sierra security updates. I have updated the EFI firmware listing accordingly.
Howard.